Deutch: Government not doing enough to protect IT

The government hasn't paid enough attention to protecting the nation's IT infrastructure, even as threats continue to mount, a former CIA director said today.

Still, agencies are waking up to new security technologies and creating a growing opportunity for vendors and systems integrators, said John Deutch, CIA director from 1995 to 1996.

"Interest in secure information technology products and services is everywhere in government and that bodes well for [technology companies]," Deutch said.

Deutch, a professor at the Massachusetts Institute of Technology, spoke at the CardTech/SecurTech Conference in Washington. He warned that the country's critical infrastructure remains vulnerable to attacks from hackers, terrorist groups and foreign governments intent on disrupting critical industries and services.

Deutch said as recently as five years ago, not a single government facility was adequately protected against someone posing as an IT supplier who wanted to gain access to agency networks. Although security has improved, Deutch said vulnerabilities still exist.

Part of the difficulty in protecting the nation's IT infrastructure is a lack of government oversight. Deutch said responsibility for coordinating security has bounced around departments before coming to rest at the Homeland Security Department. Now he worries Homeland Security has too many other things on its plate, including transportation security and threats from weapons of mass destruction, to adequately focus on protecting IT infrastructure.

"We have to begin by establishing serious industry-government working groups," Deutch said.

The working groups should cover major parts of the nation's IT infrastructure, including financial services, telecommunications, aviation security and utilities, Deutch said. The working groups would be responsible for defining public and private roles in IT security, exchanging best practices, establishing standards and sharing lessons learned.

Deutch said depending on the nature of the cyberattack, it's not clear whether critical systems could recover in a matter of hours or even days.

"Interruption could be catastrophic for government operations," he said.
